Email Authentication

What is DMARC?

Domain-based Message Authentication, Reporting & Conformance (DMARC) is a critical component of a truly secure email program. This authentication standard is the best method brands have to protect their customers, employees and brand from phishing and spoofing attacks.

History of DMARC

Though it’s almost a decade old, DMARC is the most important protection yet added to the list of email authentication standards. Building on SPF and DKIM, DMARC was designed to give domain owners, rather than each receiver, control over what happens to mail that fails authentication. It was initially adopted by high-value online industries, like financial services.

Now, though, DMARC is supported by all major mailbox providers and is key in both protecting email from malicious activity and improving deliverability. While DMARC is universally recommended for email marketers across all industries, it’s not widely adopted due to its complexity and tiered approach to implementation.


How does DMARC work?

The most important elements of DMARC are alignment and reporting.

Alignment ensures there is no spoofing of the one authentication signal recipients actually see: the “header from” address. SPF on its own authenticates the “envelope from” (Return-Path) domain, which the recipient never sees. DMARC adds SPF alignment, which requires that the SPF-authenticated “envelope from” domain match the “header from” domain, either exactly (strict alignment, aspf=s) or by sharing the same organizational domain, so that mail.validity.com aligns with validity.com (relaxed alignment, aspf=r, the default). This is how DMARC builds on the basic security of SPF.

DMARC then checks DKIM alignment the same way: the “header from” domain must match the “d=” domain of a DKIM signature that verified, again either exactly or at the organizational-domain level (adkim=s or adkim=r). That’s where DKIM plays its role.

Putting this all together, a message passes DMARC if at least one of the two checks succeeds: SPF authentication with SPF alignment, or DKIM authentication with DKIM alignment. It does not need both. A forwarded message commonly fails SPF (the forwarder’s envelope domain is not yours) yet still passes DMARC on its surviving DKIM signature. Only if both aligned checks fail does the message fail DMARC.
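The pass/fail logic described above, as an added example that is not code from the original page. It evaluates a message the way a receiver does: SPF result plus the envelope domain it vouched for, each DKIM signature’s result plus its d= domain, and the “header from” domain, with relaxed or strict alignment. The organizational-domain helper is a deliberate simplification (it keeps the last two labels) and ignores the Public Suffix List that real evaluators consult; the sample messages are constructed, not captured traffic.

```python
# Added example: how a receiver combines SPF, DKIM and alignment into a DMARC
# verdict. Not code from the original page. organizational_domain() is a
# simplification (assumption): real receivers use the Public Suffix List.
from dataclasses import dataclass, field
from typing import List, Optional


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Assumption for this example; 'example.co.uk' would be wrong without the PSL."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Alignment test shared by SPF and DKIM.
    mode='s' (strict): exact match. mode='r' (relaxed): same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


@dataclass
class DkimResult:
    result: str   # "pass", "fail", "none", ...
    d: str        # the d= domain from the signature


@dataclass
class Message:
    header_from: str                 # RFC5322.From domain (what the user sees)
    spf_result: str                  # "pass" / "fail" / "none"
    spf_domain: Optional[str]        # RFC5321.MailFrom domain that SPF checked
    dkim: List[DkimResult] = field(default_factory=list)


def dmarc_evaluate(msg: Message, aspf: str = "r", adkim: str = "r") -> dict:
    """Return the DMARC verdict and which identifier produced it.
    A message passes if EITHER SPF passes with an aligned domain OR at least one
    DKIM signature passes with an aligned d= domain. Only when both fail does the
    published policy (p=none/quarantine/reject) come into play."""
    spf_ok = msg.spf_result == "pass" and aligned(msg.spf_domain, msg.header_from, aspf)
    dkim_ok = any(sig.result == "pass" and aligned(sig.d, msg.header_from, adkim)
                  for sig in msg.dkim)
    return {"dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok}


# Constructed sample messages (not real traffic).
# 1) Forwarded mail: SPF breaks on the forwarder's envelope, DKIM survives.
forwarded = Message(header_from="example.com", spf_result="fail",
                    spf_domain="forwarder.net",
                    dkim=[DkimResult("pass", "example.com")])
# 2) Third-party sender: SPF and DKIM both "pass" for the vendor's own domains,
#    but neither is aligned with example.com, so DMARC fails anyway.
vendor = Message(header_from="example.com", spf_result="pass",
                 spf_domain="bounce.esp-vendor.net",
                 dkim=[DkimResult("pass", "esp-vendor.net")])
# 3) Subdomain bounce address: aligned under relaxed mode, not under strict.
subdomain = Message(header_from="example.com", spf_result="pass",
                    spf_domain="mail.example.com", dkim=[])

if __name__ == "__main__":
    for name, m in [("forwarded", forwarded), ("vendor", vendor), ("subdomain", subdomain)]:
        print(name, dmarc_evaluate(m))
    print("subdomain/strict", dmarc_evaluate(subdomain, aspf="s"))
```

The second sample is the case that trips up most marketers: two “pass” results in the headers, yet a DMARC failure, because the vendor authenticated its own domains rather than yours.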


Who can use DMARC?

Everyone can use DMARC once a few prerequisites are met. If you’re an email marketer without any authentication set up for your mail, you need to take a few steps before using DMARC. First, properly configure both SPF and DKIM for every source that sends as your domain, including third-party providers. DMARC only evaluates the results those checks return, so it cannot do its job until at least one of them produces aligned passes for your legitimate mail; configuring both gives you resilience when one breaks, as SPF does under forwarding.

Once you have SPF and DKIM records for your domain published to the DNS, you can begin using DMARC. While it takes some up-front work to qualify for DMARC, there aren’t any disqualifiers beyond an actionable willingness to protect your email.


Mitigate the impact of spoofing with DMARC

Just because a message fails DMARC doesn’t mean it won’t be delivered. A failure simply means neither SPF nor DKIM produced an aligned pass. If you’re receiving and analyzing DMARC reports, you’ll see this activity, but the mailbox provider (MBP) will only act on failing mail if your record asks it to; with a monitoring-only record there is no action to take. You make that request by setting your mail receiver policy, the p= tag.

This is what makes DMARC more powerful than SPF and DKIM on their own: the domain owner, rather than each receiver, decides how unauthenticated mail using that domain is handled.


Monitor policy: p=none

The starter policy for DMARC is basic monitoring. Creating a record with p=none enables nothing but visibility into DMARC results. You’ll receive daily reports so you can determine how much of the failing mail is legitimate and how much is not. Failures can indicate several things. First and foremost, your domain might be spoofed. It’s also possible that people or third-party services within your organization are sending email from your domain without telling you, so their sources were never added to SPF or given a DKIM key. With these reports, you can understand your DMARC results and work to resolve the issues identified.

Lots of email marketers implement p=none and leave it at that, assuming this level of protection is adequate. However, without providing instruction to the receiving server, you don’t have any control over the handling of failed messages, and you do nothing to interfere with the delivery of malicious mail.


Quarantine policy: p=quarantine

Going one step further from p=none, you can instruct MBPs to segregate mail failing DMARC from mail that passes. This is a quarantine policy, indicated by p=quarantine in your DMARC record. While you should begin your DMARC journey with p=none until the reports show your legitimate mail passing, p=quarantine is the next escalation in truly protecting your recipients from harmful mail purporting to come from your brand.

After the receiving server evaluates alignment and looks up the DMARC record for the “header from” domain, it follows the course of action your policy requests. With p=quarantine, mailbox providers will treat failing mail as suspicious, typically filtering it into the spam or junk folder. You can phase this in with the pct tag (for example pct=25), so that only that fraction of failing mail is quarantined while the remainder is still handled as if the policy were none.

This step is very important in keeping phishing and spoofing scams away from your recipients. By protecting message recipients you better protect your brand from reputation damage and negative impacts on your email deliverability as a whole.

It’s also worth noting, once you implement a p=quarantine policy, you’re at DMARC “enforcement.” This means you’re eligible to use BIMI (provided pct is at its default of 100), an email specification that allows brand logos to display within the inbox of supporting email clients.


Reject policy: p=reject

If you want to provide the fullest protection DMARC can offer, you’ll want to enforce DMARC at its strictest policy level, p=reject. Much like it sounds, if a message from your domain fails DMARC, the policy instructs the MBP to reject the email entirely, typically during the SMTP transaction, so it never reaches a mailbox or a spam folder.

This level means you’ve taken every step available to make your DMARC record work for you. The reject policy allows monitoring for illegitimate or harmful mail, handling it definitively by refusing it, and reporting back to you on this activity every day.

Surprisingly, adoption of DMARC itself is relatively low, and for marketers using it, few are using it at p=reject.

Learn more about DMARC, the value it provides, and the requirements to begin your implementation.


Why use DMARC for email?

DMARC is the biggest safety check for your email program. It is designed to protect your brand from spoofing and phishing much like SPF and DKIM, but it closes the gaps each of those leaves on its own: SPF only vouches for the “envelope from” domain, which the recipient never sees, and DKIM only proves that some domain signed the message. DMARC ties both results to the visible “header from” address and lets you tell receivers what to do when neither lines up, which is significantly harder for spammers to get around.

While monitoring email performance is important for all email marketers, it’s also important to understand how your brand is being used in the ecosystem. Can you confirm there is no unauthorized mail originating from your domains? With DMARC, you get insight into not only performance, but actual activity from your domains. If you’re using DMARC at enforcement, you can be more assured any malicious mail potentially coming from your domain is automatically being rerouted away from your recipients.


What does a DMARC record look like?

DMARC records don’t need to be intimidating.

There are specific components to understand to make building a DMARC record easier. A DMARC record is a TXT record published at _dmarc.yourdomain.com, and it is made up of tags. Tags are how it speaks to the receiving mail server. Only two are required.

  • v: Version. This identifies the TXT record as DMARC, making it distinguishable from other TXT records. It needs to have a value of “DMARC1” and must be listed as the first tag in the whole record. Without the tag listed first or the value equaling DMARC1, the receiver will simply ignore it.
  • p: Requested Mail Receiver Policy. This is where your policy level matters. Your DMARC record must include a p= value so the receiver knows what actions to take when running the DMARC check. You can have p=none, p=quarantine, or p=reject.
A DMARC record published for your organizational, or main, domain also protects every subdomain you use from there. For example, if we send mail from validity.com but we also have a store sending email from store.validity.com, a DMARC record published at _dmarc.validity.com would apply to the store domain as well, unless the subdomain publishes a record of its own.

If you’d like subdomains to have a different enforcement policy than your main domain, you can designate that within the record. For instance, validity.com should be at reject but store.validity.com should be at none. The record would read “v=DMARC1; p=reject; sp=none” to apply both policies. p indicates the primary policy and sp designates the subdomain policy; when sp is absent, subdomains inherit p.

Within the record, you can designate where to send your DMARC reports: rua= for aggregate reports and ruf= for forensic (failure) reports, each taking one or more mailto: URIs.

There are several other tags that change the defaults a receiver assumes when checking DMARC: adkim and aspf set strict (s) or relaxed (r) alignment, with relaxed the default; pct sets the percentage of failing mail the policy applies to; fo controls when forensic reports are generated; and ri requests the interval between aggregate reports, one day by default. You can leave these at their defaults, but they matter when you phase in enforcement or tune reporting.
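A validator for records in the format described above, as an added example that is not code from the original page. It applies the rules a receiver applies (v=DMARC1 first, p= required, sp= inheriting from p=, defaults for the optional tags) and returns the policy that applies to a given “header from” domain. It does not query DNS; fetch the TXT record yourself (for example with `dig +short TXT _dmarc.validity.com`) and pass in the string. The organizational domain is passed in as a parameter rather than derived, and the rua= address in the sample is hypothetical.

```python
# Added example: parse and validate a DMARC TXT record. Not code from the
# original page. Organizational-domain detection is left to the caller (assumption).
POLICIES = ("none", "quarantine", "reject")
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0", "ri": "86400"}


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC record into a dict of tags with defaults applied.
    Raises ValueError for records a receiver would discard."""
    tags, order = {}, []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:           # catches the common 'v:DMARC1' typo
            raise ValueError(f"malformed tag: {part!r}")
        name, value = (s.strip() for s in part.split("=", 1))
        name = name.lower()
        tags[name] = value
        order.append(name)
    if not order or order[0] != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("p= tag is required")
    rec = dict(DEFAULTS)
    rec.update(tags)
    rec["p"] = rec["p"].lower()
    rec["sp"] = rec.get("sp", rec["p"]).lower()   # subdomains inherit p= unless sp= is set
    for key in ("p", "sp"):
        if rec[key] not in POLICIES:
            raise ValueError(f"{key}={rec[key]!r} must be none, quarantine or reject")
    for key in ("adkim", "aspf"):
        rec[key] = rec[key].lower()
        if rec[key] not in ("r", "s"):
            raise ValueError(f"{key} must be r (relaxed) or s (strict)")
    rec["pct"] = int(rec["pct"])
    if not 0 <= rec["pct"] <= 100:
        raise ValueError("pct must be between 0 and 100")
    rec["ri"] = int(rec["ri"])
    for key in ("rua", "ruf"):                    # comma-separated mailto: URIs
        uris = [u.strip() for u in rec.get(key, "").split(",") if u.strip()]
        bad = [u for u in uris if not u.lower().startswith("mailto:")]
        if bad:
            raise ValueError(f"{key} must contain mailto: URIs, got {bad}")
        rec[key] = uris
    return rec


def applicable_policy(rec: dict, header_from: str, organizational: str) -> str:
    """Policy a receiver applies: p= for the organizational domain itself,
    sp= (defaulting to p=) for any of its subdomains."""
    return rec["p"] if header_from.lower() == organizational.lower() else rec["sp"]


def at_enforcement(rec: dict) -> bool:
    """The page's definition of 'enforcement': quarantine or reject.
    (BIMI additionally expects pct=100, so it is checked here too.)"""
    return rec["p"] in ("quarantine", "reject") and rec["pct"] == 100


if __name__ == "__main__":
    # The record from the text (with the '=' corrected) and a fuller one.
    # 'mailto:dmarc-rua@validity.example' is a hypothetical reporting address.
    for txt in ("v=DMARC1; p=reject; sp=none",
                "v=DMARC1; p=quarantine; pct=50; adkim=s; rua=mailto:dmarc-rua@validity.example",
                "v:DMARC1; p=reject"):
        try:
            rec = parse_dmarc_record(txt)
            print(txt, "->", applicable_policy(rec, "store.validity.com", "validity.com"),
                  "for store.validity.com; enforcement:", at_enforcement(rec))
        except ValueError as e:
            print(txt, "-> rejected:", e)
```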


What do DMARC reports look like?

It is integral you understand how to interpret the information a DMARC policy will provide you. Without the ability to turn insight into action, you’re not using the standard to its fullest extent.

Aggregate reports

These are your daily reports, delivered as XML (usually gzip- or zip-compressed) to the rua= address. Rather than listing individual messages, each report groups the reporter’s observations by sending IP: how many messages were seen from it, the raw SPF and DKIM results, whether each was aligned with the “header from” domain, and what disposition (none, quarantine or reject) was applied. What you learn from these reports allows you to confirm your legitimate email is being categorized as such, and that you’ve got all your appropriate IPs authorized.
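A reader for the aggregate report layout described above, as an added example that is not code from the original page. The embedded report is constructed (documentation IP ranges, a made-up reporter) in the XML shape receivers send; the code sorts each source into “passing”, “authenticated but not aligned” (typically a third-party sender) and “unauthenticated” (typically spoofing or an IP missing from SPF), which is the triage you do before moving past p=none.

```python
# Added example: summarize a DMARC aggregate (rua) report. Not code from the
# original page. SAMPLE_REPORT is constructed for this example.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <email>noreply-dmarc@mailbox-provider.example</email>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>esp-vendor.net</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounce.esp-vendor.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>"""


def summarize_aggregate_report(xml_text: str) -> dict:
    """Group the report by source IP and classify each source.
    policy_evaluated/dkim and /spf are the ALIGNED results the receiver used;
    auth_results holds the raw results and the domains they were for."""
    root = ET.fromstring(xml_text)
    meta, published = root.find("report_metadata"), root.find("policy_published")
    summary = {"reporter": meta.findtext("org_name"),
               "domain": published.findtext("domain"),
               "policy": published.findtext("p"), "sources": []}
    for rec in root.findall("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        aligned_any = "pass" in (pe.findtext("dkim"), pe.findtext("spf"))
        raw_dkim = [d.findtext("domain") for d in rec.findall("auth_results/dkim")
                    if d.findtext("result") == "pass"]
        raw_spf = [s.findtext("domain") for s in rec.findall("auth_results/spf")
                   if s.findtext("result") == "pass"]
        if aligned_any:
            verdict = "pass"
        elif raw_dkim or raw_spf:
            verdict = "fail: authenticated but not aligned"   # likely a third-party sender
        else:
            verdict = "fail: unauthenticated"                 # likely spoofing or an unlisted IP
        summary["sources"].append({
            "ip": row.findtext("source_ip"), "count": int(row.findtext("count")),
            "disposition": pe.findtext("disposition"), "verdict": verdict,
            "passing_domains": {"dkim": raw_dkim, "spf": raw_spf}})
    return summary


def failing_volume(summary: dict) -> int:
    """Messages in the report that failed DMARC, across all sources."""
    return sum(s["count"] for s in summary["sources"] if s["verdict"] != "pass")


if __name__ == "__main__":
    s = summarize_aggregate_report(SAMPLE_REPORT)
    for src in s["sources"]:
        print(src["ip"], src["count"], src["verdict"], src["passing_domains"])
    print("failing:", failing_volume(s), "of", sum(x["count"] for x in s["sources"]))
```

The “authenticated but not aligned” bucket is where to look first: the second source in the sample is a vendor signing with its own d= and using its own bounce domain, which will be quarantined the moment you move off p=none unless you give it a DKIM key for your domain or an aligned return path.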

Automate your DMARC reporting with Everest to quickly identify and respond to issues that could cause significant damage.


Forensic reports

You’ll receive a forensic (failure) report when a message using your domain fails DMARC, by default only when both SPF and DKIM fail (the fo tag can request one on any single failure). Thanks to the added layer of information DMARC can provide, you’re able to get details about the incident: the address it came from, where it went, and the subject line. You might get the full email header as well. Be aware that many large mailbox providers do not send forensic reports at all, for privacy reasons, so aggregate reports remain your primary signal.

As you can imagine, individual failure reports can pile up quickly. Once you’re comfortable reading your aggregate reports, you might prefer to receive failure reports only when both checks fail, which is the default fo=0, rather than fo=1, which reports every message where either SPF or DKIM fails.


Biggest misunderstanding about DMARC

There is no silver bullet to solve deliverability issues. Everyone wants one, but there just isn’t. While there are many steps you can take to improve your deliverability, authentication is only part of it. However, there’s a big misconception about the benefit of DMARC, since it’s considered an advanced form of authentication.

DMARC is not a quick deliverability fix

DMARC can greatly improve your ability to see issues and take appropriate action as quickly as possible. You’ll be more likely to notice a spoofing or phishing incident with DMARC enabled, meaning your email reputation won’t be quietly damaged without your knowledge until it’s too late.

You will also see fewer SPF and DKIM failures on your legitimate mail, because the reports force you to find and fix every source sending as your domain, and because, at enforcement, the only mail reaching recipients from your domain is mail you can verify as legitimate. A steady stream of authenticated, threat-free email is always a boon to your email reputation, and your delivery rates should improve along with it.


Troubleshooting

There are several issues you might run into after implementing DMARC. For instance, you might see your email consistently being placed in the spam folder or repeatedly rejected by receiving servers.

A smart early step in troubleshooting DMARC is to confirm the record is configured properly. If you can verify there are no problems with the record itself, move on to analyzing your SPF and DKIM records. Remember, DMARC checks for alignment for both SPF and DKIM.

You should also check your email headers, in particular the Authentication-Results header the receiving server adds, to see whether messages are passing SPF and DKIM and whether those results are aligned with your “header from” domain. If the problem is there, you don’t truly have a DMARC problem; fix the upstream check first.
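The header check described above, as an added example that is not code from the original page. It parses an Authentication-Results header into its spf=, dkim= and dmarc= stanzas and then follows the troubleshooting order in the text: no dmarc= result points at the record, a failure with no passing SPF or DKIM points at those records, and a failure despite passes points at alignment. The two headers are constructed, not taken from real messages; the authserv-id and domains in them are hypothetical.

```python
# Added example: triage an Authentication-Results header. Not code from the
# original page. The sample headers below are constructed.
import re

AR_FORWARDED = ("mx.mailbox-provider.example; "
                "spf=fail (sender IP is 192.0.2.55) smtp.mailfrom=forwarder.net; "
                "dkim=pass header.d=example.com header.s=s1; "
                "dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com")
AR_UNALIGNED = ("mx.mailbox-provider.example; "
                "spf=pass smtp.mailfrom=bounce.esp-vendor.net; "
                "dkim=none; "
                "dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=QUARANTINE) header.from=example.com")


def parse_authentication_results(header: str) -> dict:
    """Split the header into the authserv-id and one dict per method stanza,
    keeping each stanza's result, its property=value pairs and any (comment)."""
    authserv, _, rest = header.partition(";")
    parsed = {"authserv_id": authserv.strip(), "methods": []}
    for stanza in rest.split(";"):
        stanza = stanza.strip()
        if not stanza:
            continue
        comment = re.search(r"\(([^)]*)\)", stanza)
        stanza = re.sub(r"\([^)]*\)", "", stanza)          # comments are not properties
        tokens = stanza.split()
        method, _, result = tokens[0].partition("=")
        entry = {"method": method.lower(), "result": result.lower()}
        entry.update(t.split("=", 1) for t in tokens[1:] if "=" in t)
        if comment:
            entry["comment"] = comment.group(1).strip()
        parsed["methods"].append(entry)
    return parsed


def diagnose(header: str) -> str:
    """Name the layer to troubleshoot, in the order the text recommends."""
    methods = parse_authentication_results(header)["methods"]
    dmarc = [m for m in methods if m["method"] == "dmarc"]
    spf_pass = [m.get("smtp.mailfrom", "?") for m in methods
                if m["method"] == "spf" and m["result"] == "pass"]
    dkim_pass = [m.get("header.d", "?") for m in methods
                 if m["method"] == "dkim" and m["result"] == "pass"]
    if not dmarc:
        return ("No dmarc= result: the receiver found no usable DMARC record or did not "
                "evaluate it; check the _dmarc TXT record first")
    header_from = dmarc[0].get("header.from", "?")
    if dmarc[0]["result"] == "pass":
        return f"DMARC pass for {header_from}: placement problems are not an authentication issue"
    if not spf_pass and not dkim_pass:
        return (f"Upstream failure for {header_from}: neither SPF nor DKIM passed; "
                "fix those records before looking at DMARC")
    return (f"Alignment failure for {header_from}: SPF passed for {spf_pass or 'nothing'}, "
            f"DKIM passed for {dkim_pass or 'nothing'}, but none of those match the header from domain")


if __name__ == "__main__":
    for h in (AR_FORWARDED, AR_UNALIGNED):
        print(diagnose(h))
```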


FAQ


Do I need DMARC?

Everyone can benefit from DMARC. Unfortunately, the majority of senders don’t use DMARC, which puts not only their brand and sender reputations at risk, but also their email recipients. You’ll know if you have SPF or DKIM failures, but you won’t benefit from the granularity of DMARC reports. Without DMARC, you’re leaving lots of information on the table, and without those insights, your email program could be at risk.

What if I don’t use DMARC?

Technically, there is no penalty. MBPs aren’t unfavorably treating mail without a DMARC policy associated with it, but you certainly won’t benefit from the additional signals DMARC can send to the receiver. You also put yourself at a greater risk for reputational damage because you could be spoofed without your knowledge. If you have SPF and DKIM set up, it shouldn’t be a major ordeal to add DMARC to the mix. However, if you don’t want to add DMARC, you don’t necessarily face a crash-and-burn scenario with your email program.

Discover how Everest can help you set up and monitor proper email authentication to keep your program safe and secure.
